Todd
On a more serious note though, anyone have any idea why web has become so complicated? When I'm programming for web, I honestly rarely ever enjoy myself because it just seems overly-complicated. I feel like it's more battling with tools/frameworks than actual solving programming problems.
At a guess I'd say that people invent new frameworks to address problems with old frameworks, but actually end up writing something with most of the same old problems and some new ones to boot. Then others write frameworks to address those problems.
Nobody actually goes back to first principles, doing a clean rethink. That's something I want to address with the HMNv2 codebase. It'll provide the necessary FCGI interfaces, robust string handling primitives, threading, hot reloading and a few other bits and bobs.
One of the ways to bake security in from the start is to have data tagged so we can do taint propagation analysis. That's normally a bit expensive, but we can do things much more efficiently in C than in Python or PHP. So, at the end of the day we can implement all of the same logic while tracking where data comes from and where it goes to, and still come out on top.
This means for example you can have an assert fire if you give a string formatting (for templating) procedure some data that hasn't been cleaned yet. If you can run it in debug without asserts firing, you have pretty good idea data isn't going where it shouldn't.
You can even extend this idea by tagging pieces of data with access requirements. When you retrieve a post for example, the IP address could be tagged as being for admins only. Try formatting it for output to a regular visitor, an assert hits. Essentially you can bake part of your policy into the low-level primitives you use to manipulate data, making it really hard to do something unsafe.
Taking that a bit further still, one could imagine that if you can track data through the application and know which user permissions are needed to access it, template caching could be a whole lot smarter.
Anyway, it remains to be seen if that taint propagation stuff will actually pay off, or if it'll end up getting in the way so much we'll end up ditching it. Point being we'll be implementing just the basics you need for any web application. From there it's just backend programming just like any other C program, and the scaffolding is in place to cheaply try things that are actually new and might be useful. If an existing framework has a good idea we can of course reimplement it in C.
TL;DR: Do we want to implement things just because they're in existing frameworks, maybe make them a bit nicer to use, or do we first want to examine whether it's a good idea to begin with?
Toddratchetfreak
(though you really shouldn't code encryption yourself, there's too much that you can do wrong that would break the encryption)
I swear I hear this so much, I almost want to spend like 10 years studying encryption and mathematics just specifically so I can roll my own for the challenge of it, dammit. :P
You can implement your own encryption functions (based on existing algorithms) just don't ever let them go out to user facing interfaces or you'll open it up to side-channel attacks,
most common example you'll hear is the timing attack and avoiding that hole requires deep intimate knowledge of the CPU and its cache behavior. As another example I can hear the electrical noise of my laptop's CPU through the headphones, amplify and record it you can start to analyze the load of the CPU and make guesses about what it was doing down to what message it was decrypting or which key was being used.
Exactly. Guarding against side-channel attacks is a very non trivial task. It requires not only good understanding of math, but also crypto implementation, the protocol where its used (padding modes & friends) and the whole stack it is running on - OS, hypervisor, CPU features (cache behavior), compiler settings and so on.
Here are some good examples of side channel attacks:
* https://www.cs.tau.ac.il/~tromer/handsoff/
* https://www.tau.ac.il/~tromer/radioexp/
* https://www.tau.ac.il/~tromer/mobilesc/
* https://blog.cloudflare.com/paddi...decline-of-cbc-mode-ciphersuites/
* https://blog.cloudflare.com/yet-a...acle-in-openssl-cbc-ciphersuites/
* http://nmav.gnutls.org/2013/02/ti...s-money-for-cbc-ciphersuites.html
* https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf
* https://www.blackhat.com/docs/us-...mization-KASLR-With-Intel-TSX.pdf
Most of these are very practical ways how to break crypto or other security (VM isolation) features. Some require running attacker software on your machine, but some of them can be performed completely non-intrusively - for example with receiver behind the wall, you won't even know somebody is there.
Here are some good examples of side channel attacks:
* https://www.cs.tau.ac.il/~tromer/handsoff/
* https://www.tau.ac.il/~tromer/radioexp/
* https://www.tau.ac.il/~tromer/mobilesc/
* https://blog.cloudflare.com/paddi...decline-of-cbc-mode-ciphersuites/
* https://blog.cloudflare.com/yet-a...acle-in-openssl-cbc-ciphersuites/
* http://nmav.gnutls.org/2013/02/ti...s-money-for-cbc-ciphersuites.html
* https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf
* https://www.blackhat.com/docs/us-...mization-KASLR-With-Intel-TSX.pdf
Most of these are very practical ways how to break crypto or other security (VM isolation) features. Some require running attacker software on your machine, but some of them can be performed completely non-intrusively - for example with receiver behind the wall, you won't even know somebody is there.
Edited by Mārtiņš Možeiko
on
rachet and mmozeiko,
Very interesting! Thanks for the info/links. This doesn't surprise me at all. I used to do HAM radio and learned quite a bit about the EM spectrum back then. I'm sure if not by listening with your ears or for audio, you could absolutely listen to a EM pattern in a CPU and try and figure stuff out.
You know, security is so interesting and due to my previous career, I have a deep interest in it, however, it is definitely complicated... I definitely feel like I could drive myself insane trying too hard to make my connections super-top-secret-encrypted-NSA-proof, rather than get anything useful done! However, I will always value my users' security and privacy over everything else when it comes to web applications. For me, priority order looks like this: Security & Privacy -----> Functionality -----> Performance ----> Aesthetics. Probably why I'm not a front-end guy :P
Jeroen van Rijn,
I can't wait to see where your project goes! I don't like to be whiny about web dev, but I'm happy when it leads to useful discussion like this. IMO, just the mere discussion of the issues and how to resolve them is massive. Casey had a Handmade Hero episode where he talked about how he doesn't like when people use "reinventing the wheel" when it comes to software, because we don't have a software wheel yet. I think this point is very valid and applies here as well... People continue to think inside the box and keep throwing framework after framework at problems when we may need to sit back, take a deep breath, and slowly analyze this whole thing and determine what we really need and what we don't.
Very interesting! Thanks for the info/links. This doesn't surprise me at all. I used to do HAM radio and learned quite a bit about the EM spectrum back then. I'm sure if not by listening with your ears or for audio, you could absolutely listen to a EM pattern in a CPU and try and figure stuff out.
You know, security is so interesting and due to my previous career, I have a deep interest in it, however, it is definitely complicated... I definitely feel like I could drive myself insane trying too hard to make my connections super-top-secret-encrypted-NSA-proof, rather than get anything useful done! However, I will always value my users' security and privacy over everything else when it comes to web applications. For me, priority order looks like this: Security & Privacy -----> Functionality -----> Performance ----> Aesthetics. Probably why I'm not a front-end guy :P
Jeroen van Rijn,
I can't wait to see where your project goes! I don't like to be whiny about web dev, but I'm happy when it leads to useful discussion like this. IMO, just the mere discussion of the issues and how to resolve them is massive. Casey had a Handmade Hero episode where he talked about how he doesn't like when people use "reinventing the wheel" when it comes to software, because we don't have a software wheel yet. I think this point is very valid and applies here as well... People continue to think inside the box and keep throwing framework after framework at problems when we may need to sit back, take a deep breath, and slowly analyze this whole thing and determine what we really need and what we don't.
Edited by Todd
on
Thanks guys. Todd the reason I asked that is because I figure if I spend as much time learning the ins and outs of programming rather than a tool I will be better off in the long run. Most of what I see in school is just frameworks on frameworks. The build from scratch makes sense to me for that reason.
kungfoolery
Thanks guys. Todd the reason I asked that is because I figure if I spend as much time learning the ins and outs of programming rather than a tool I will be better off in the long run. Most of what I see in school is just frameworks on frameworks. The build from scratch makes sense to me for that reason.
I agree! Honestly, a lot of school, especially "code schools" and the "coding bootcamps" IMO seem completely awful and like they are training mindless framework drones. They train people who don't know how to program, at all. I do not and never will stand for that. Uncle Bob Martin and Casey both have touched on an interesting point: Most of the best programmers are outside the university/schools, programming is very young compared to other subjects covered in formal education and frankly, they seem sorta behind to be honest. I've taken a couple data structures and algorithms courses from a top university near me and frankly, I learned more online and from "non-formal" means/reading books. The courses tried to teach things such as RegEx and other auxiliary subjects in a haphazard way when those things should have been made prerequisites.
And coding bootcamps serve a purpose of "learn to code quick" but from what I've both seen and heard, they offer a pretty abysmal education, especially for the price. A couple of self-taught friends and I went to a popular coding bootcamp school's hackathon thinking we were going to A) be hassled to sign-up, and B) get schooled.
My team ended up not only winning the hackathon, but the teachers actually asked if I wanted to be a guest speaker or TA at the school... And this wasn't that recent, at that time, I had only been programming for 4 months, total, completely self-taught. The entire time, the students were coming to us for help. Pretty sad for $15,000 they're getting that kind of education when I've paid almost zero aside from a couple university courses and about 15 books.
On top of that, a former military pilot friend of mine used the GI bill and he is currently in another $15,000 bootcamp which is one of the top 3 in the US. Every day he asks me for help because of their lousy teaching, and they're forcing way too much on the students... I have pretty strong feelings because I host a local meetup and many of the attendees are in school. They all come running to me for help because their teacher/professor is absolutely terrible. I had to help a guy with C who spent 5 hours thinking his code was broken when in fact, the IDE was broken to begin with, and he had no idea what a debugger was and didn't have one installed. Guess what happened? He dropped out of the C class even after I helped him. I personally know folks who have been involved in "you'll get a job" programs who... haven't gotten a job and have been rejected due to their lack of knowledge. Anyways, I'm ranting... But yeah, that's how I feel about programming education, lol.
And one last thing, yes, I'm aware that the networking opportunities are good, but I'm speaking of the education alone.
Edited by Todd
on
I actually think most of my school experience will boil down to the networking and not what I learned there. Although there is some architecture stuff and planning things that are good but are also pure OOP so annoying as well.
So if schooling is not where it's at. how would you recommend someone bridge the gap from self taught to employable? And how do you know when you're ready. I have yet to watch the handmade job advice posts but I figure it's good to grab from many sources.
So if schooling is not where it's at. how would you recommend someone bridge the gap from self taught to employable? And how do you know when you're ready. I have yet to watch the handmade job advice posts but I figure it's good to grab from many sources.
kungfoolery
I actually think most of my school experience will boil down to the networking and not what I learned there. Although there is some architecture stuff and planning things that are good but are also pure OOP so annoying as well.
So if schooling is not where it's at. how would you recommend someone bridge the gap from self taught to employable? And how do you know when you're ready. I have yet to watch the handmade job advice posts but I figure it's good to grab from many sources.
I highly recommend you watch this video. If you have to watch a few mins a day, do it, it's not just inspiring but very informative and spot-on with what I've heard universally: Work on projects that interest you, write good code, and put it in your portfolio.
Another source: Mike Acton's interview at Handmade Con
I also have personal friends who recently got jobs, some as young as 19 with no college education at all, and the general conensus seems to be: A combination of projects in your portfolio demonstrating expertise in what the company in question is looking for, networking, and "likeability." I've heard an awful lot of bad about programmers who don't program on their own time, seem bored, are just mean, just sit in their room and never network with anyone, etc...
I hadn't heard of it before, Todd. That's indeed pretty neat.